fdb5556eddfa281438d3c7ab2542239c05888fe39077f8d1e6824cb6dd47f3e9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
Size

3.5MB
MD5

24de00559463ef4103032e24c58ce35d
SHA1

d61a4387466a0c999981086c2c994f2a80193ce3
SHA256

9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a
SHA512

c314848a48323f0b8a8728f6aaf5dbbe1e18299fcaf6d6c24057df357b891f40a0f9d2608670ae80ee806a5abca500e22260179ca9e2d87b9378feeb934169f8
SSDEEP

98304:QEbtxe9iv3M25is9fzEa0VP9b+jIGz+SBJYS+rm1myI:7t8Iv3n19fQa0995q+SB+ba1mb

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
4404	Test.exe
4124	flashcenter_pp_ax_install_cn.exe
1500	Test.exe
2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05
360	InstallFlashPlayer.exe
3732	InstallFlashPlayer.exe
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
2784	InstallFlashPlayer.exe
4688	FlashHelperService.exe
4052	FlashHelperService.exe
4976	026D542E-E58E-4750-905B-7724B01700F3
2800	FlashCenterSa.exe
384	FlashCenterSa.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_34_0_0_267.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_34_0_0_267.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_34_0_0_267_ActiveX.exe"	InstallFlashPlayer.exe

Sets file execution options in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_34_0_0_267_pepper.exe	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_34_0_0_267_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_34_0_0_267_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_34_0_0_267_pepper.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_34_0_0_267_pepper.exe	6C289526-1E25-4EDF-BBD2-94BBECE540D4
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_34_0_0_267_pepper.exe\DisableExceptionChainValidation = "0"	6C289526-1E25-4EDF-BBD2-94BBECE540D4
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	026D542E-E58E-4750-905B-7724B01700F3
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D1B700B9-86BD-4C0F-A422-5775D55F4E05
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	InstallFlashPlayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	InstallFlashPlayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6C289526-1E25-4EDF-BBD2-94BBECE540D4
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	InstallFlashPlayer.exe

Loads dropped DLL 64 IoCs

pid	Process
4404	Test.exe
1500	Test.exe
2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05
2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05
360	InstallFlashPlayer.exe
360	InstallFlashPlayer.exe
360	InstallFlashPlayer.exe
3732	InstallFlashPlayer.exe
3732	InstallFlashPlayer.exe
3732	InstallFlashPlayer.exe
3732	InstallFlashPlayer.exe
360	InstallFlashPlayer.exe
360	InstallFlashPlayer.exe
360	InstallFlashPlayer.exe
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
2784	InstallFlashPlayer.exe
2784	InstallFlashPlayer.exe
2784	InstallFlashPlayer.exe
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3
4976	026D542E-E58E-4750-905B-7724B01700F3

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D1B700B9-86BD-4C0F-A422-5775D55F4E05
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6C289526-1E25-4EDF-BBD2-94BBECE540D4
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	FlashCenterSa.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe	flashcenter_pp_ax_install_cn.exe
File created	C:\Windows\system32\Macromed\Temp\{3064C40F-2B43-4A3B-8784-6414903B5B5C}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\Flash64_34_0_0_267.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash32_34_0_0_267.ocx	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Temp\{7A636182-855B-43B9-80F1-59182A667237}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_pepper.exe	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\system32\Macromed\Flash\flashupdater.cfg	FlashHelperService.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe	D1B700B9-86BD-4C0F-A422-5775D55F4E05
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_34_0_0_267_ActiveX.dll	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{63A84E58-BCC8-46AD-B9B0-937903F30E58}\fpb.tmp	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File opened for modification	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_34_0_0_267_pepper.dll	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall64.log	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\flashupdater.cfg	FlashHelperService.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{69263BD8-CDB1-4441-B955-5C8C172C3F85}\fpb.tmp	D1B700B9-86BD-4C0F-A422-5775D55F4E05
File opened for modification	C:\Windows\system32\Macromed\Flash\Flash64_34_0_0_267.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_ActiveX.dll	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\FlashPlayerApp.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log	D1B700B9-86BD-4C0F-A422-5775D55F4E05
File created	C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer32_34_0_0_267.dll	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File opened for modification	C:\Windows\system32\Macromed\Flash\flashupdater.cfg	FlashHelperService.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashUtil64_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\system32\Macromed\Flash\manifest.json	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{05612427-AF1B-46AE-9076-4D1E5542983B}\fpb.tmp	D1B700B9-86BD-4C0F-A422-5775D55F4E05
File created	C:\Windows\system32\Macromed\Temp\{0B0EE7FC-623F-401A-AF18-C8E5C0CADDD9}\fpb.tmp	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall64.log	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash32_34_0_0_267.ocx	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Temp\{8F7E2AA2-4B40-4F68-9BDC-A6D170804428}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\pepflashplayer64_34_0_0_267.dll	InstallFlashPlayer.exe
File opened for modification	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File opened for modification	C:\Windows\SysWOW64\FlashPlayerApp.exe	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\SysWOW64\Macromed\Temp\{BDDD5F8E-FEBC-47E5-B97E-9C03CF5B0C3D}\InstallFlashPlayer.exe	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_34_0_0_267_pepper.exe	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\flashupdater.cfg	FlashHelperService.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{B4046C84-11D5-430E-AC06-B40D30DE7B1B}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{E96A23F5-7F8C-4F9B-992A-FCA7E4D3B053}\InstallFlashPlayer.exe	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{926BA85C-A32F-4B42-9A06-AA044D893EE0}\fpb.tmp	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_pepper.dll	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\SysWOW64\Macromed\Flash\manifest.json	6C289526-1E25-4EDF-BBD2-94BBECE540D4
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe	flashcenter_pp_ax_install_cn.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{2ECCA471-4E8F-40B1-8185-092546F121C5}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	InstallFlashPlayer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\FlashCenter\imageformats\qjpeg.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\libEGL.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Qt5Xml.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Licences\QT Libraries\license.lgpl.txt	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\QT Libraries\license.lgpl.txt	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\FlashCenterUninst.exe	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\imageformats\qjpeg.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_240544562	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
File opened for modification	C:\Program Files (x86)\FlashCenter\images\compress.ico	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\images\fc_game.ico	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\MemoryUpdate.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\Duilib	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\images\merge.ico	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\FlashSettingsService.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\libEGL.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\msvcr120.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\swiftshader\libEGL.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\Chromium Embedded Framework	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\images\compress.ico	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\FCLogin.exe	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\FlashRepair.exe	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\msvcp120.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\ssleay32.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\libcurl	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\icudtl.dat	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\v8_context_snapshot.bin	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\imageformats\qgif.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\images\pdf.ico	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\FCLogin.exe	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Qt5Sql.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\icudtl.dat	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\Duilib\LICENSE	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\widevinecdmadapter.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\servicelog.txt	FlashCenterSa.exe
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences\QT Libraries	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\images\merge.ico	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Update.exe	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\widevinecdmadapter.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Qt5Core.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Qt5Widgets.dll	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\log.dll	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
File created	C:\Program Files (x86)\FlashCenter\images\pdfToExcel.ico	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Licences\OpenSSL\LICENSE	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\FCBrowserManager.exe	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\Qt5Network.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\images\pdfToImages.ico	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Licences\Duilib\LICENSE	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Update.exe	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\snapshot_blob.bin	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\Qt5Network.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\log.dll.dat	Test.exe
File opened for modification	C:\Program Files (x86)\FlashCenter\devtools_resources.pak	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\images\swf.ico	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\natives_blob.bin	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\snapshot_blob.bin	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\FCPlay.exe	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\imageformats\qico.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\FlashCenter\locales	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\cef_extensions.pak	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\images\pdfToOther.ico	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\locales\zh-CN.pak	026D542E-E58E-4750-905B-7724B01700F3
File created	C:\Program Files (x86)\FlashCenter\BrowserModule.dll	026D542E-E58E-4750-905B-7724B01700F3
File opened for modification	C:\Program Files (x86)\flashcenter_pp_ax_install_cn.exe	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
File opened for modification	C:\Program Files (x86)\FlashCenter\Licences	026D542E-E58E-4750-905B-7724B01700F3

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	wmplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	wmplayer.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
1476	taskkill.exe
2392	taskkill.exe
4176	taskkill.exe
952	taskkill.exe
3156	taskkill.exe
2684	taskkill.exe
836	taskkill.exe
1444	taskkill.exe
2372	taskkill.exe
5004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_34_0_0_267_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_34_0_0_267_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FlashHelperService.exe = "11000"	FlashHelperService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\miniconfig	FlashHelperService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\miniconfig\guid	FlashHelperService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	FlashCenterSa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	FlashCenterSa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	FlashCenterSa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}	FlashCenterSa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	FlashCenterSa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	FlashCenterSa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2fb4ccdc-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	FlashCenterSa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.27\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37EF68ED-16D3-4191-86BF-AB731D75AAB7}\1.0\FLAGS	FlashCenterSa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.12\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.31	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.30\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.27\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\FLAGS\ = "0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ = "ISimpleTextSelection"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.26\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.34"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win64	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash32_34_0_0_267.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.32	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.29\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.28\CLSID	InstallFlashPlayer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	flashcenter_pp_ax_install_cn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	flashcenter_pp_ax_install_cn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	flashcenter_pp_ax_install_cn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	flashcenter_pp_ax_install_cn.exe
4124	flashcenter_pp_ax_install_cn.exe
4228	wmplayer.exe
4228	wmplayer.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4444	dllhost.exe
4444	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4420	dllhost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeSecurityPrivilege	4976	026D542E-E58E-4750-905B-7724B01700F3

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4124	flashcenter_pp_ax_install_cn.exe
4124	flashcenter_pp_ax_install_cn.exe
4124	flashcenter_pp_ax_install_cn.exe
4124	flashcenter_pp_ax_install_cn.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe
4420	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4404	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	80
PID 4824 wrote to memory of 4404	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	80
PID 4824 wrote to memory of 4404	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	80
PID 4824 wrote to memory of 4124	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	82
PID 4824 wrote to memory of 4124	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	82
PID 4824 wrote to memory of 4124	4824	9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe	82
PID 1500 wrote to memory of 4228	1500	Test.exe	90
PID 1500 wrote to memory of 4228	1500	Test.exe	90
PID 1500 wrote to memory of 4228	1500	Test.exe	90
PID 1500 wrote to memory of 4228	1500	Test.exe	90
PID 1500 wrote to memory of 4228	1500	Test.exe	90
PID 4228 wrote to memory of 4444	4228	wmplayer.exe	93
PID 4228 wrote to memory of 4444	4228	wmplayer.exe	93
PID 4228 wrote to memory of 4444	4228	wmplayer.exe	93
PID 4228 wrote to memory of 4444	4228	wmplayer.exe	93
PID 4228 wrote to memory of 4444	4228	wmplayer.exe	93
PID 4228 wrote to memory of 4420	4228	wmplayer.exe	94
PID 4228 wrote to memory of 4420	4228	wmplayer.exe	94
PID 4228 wrote to memory of 4420	4228	wmplayer.exe	94
PID 4228 wrote to memory of 4420	4228	wmplayer.exe	94
PID 4228 wrote to memory of 4420	4228	wmplayer.exe	94
PID 4124 wrote to memory of 2256	4124	flashcenter_pp_ax_install_cn.exe	97
PID 4124 wrote to memory of 2256	4124	flashcenter_pp_ax_install_cn.exe	97
PID 4124 wrote to memory of 2256	4124	flashcenter_pp_ax_install_cn.exe	97
PID 2256 wrote to memory of 360	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	98
PID 2256 wrote to memory of 360	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	98
PID 2256 wrote to memory of 360	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	98
PID 360 wrote to memory of 3732	360	InstallFlashPlayer.exe	99
PID 360 wrote to memory of 3732	360	InstallFlashPlayer.exe	99
PID 3732 wrote to memory of 1348	3732	InstallFlashPlayer.exe	100
PID 3732 wrote to memory of 1348	3732	InstallFlashPlayer.exe	100
PID 360 wrote to memory of 5116	360	InstallFlashPlayer.exe	102
PID 360 wrote to memory of 5116	360	InstallFlashPlayer.exe	102
PID 360 wrote to memory of 5116	360	InstallFlashPlayer.exe	102
PID 2256 wrote to memory of 3796	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	104
PID 2256 wrote to memory of 3796	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	104
PID 2256 wrote to memory of 3796	2256	D1B700B9-86BD-4C0F-A422-5775D55F4E05	104
PID 4124 wrote to memory of 4288	4124	flashcenter_pp_ax_install_cn.exe	106
PID 4124 wrote to memory of 4288	4124	flashcenter_pp_ax_install_cn.exe	106
PID 4124 wrote to memory of 4288	4124	flashcenter_pp_ax_install_cn.exe	106
PID 4288 wrote to memory of 2784	4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4	107
PID 4288 wrote to memory of 2784	4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4	107
PID 2784 wrote to memory of 4484	2784	InstallFlashPlayer.exe	108
PID 2784 wrote to memory of 4484	2784	InstallFlashPlayer.exe	108
PID 4288 wrote to memory of 4104	4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4	110
PID 4288 wrote to memory of 4104	4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4	110
PID 4288 wrote to memory of 4104	4288	6C289526-1E25-4EDF-BBD2-94BBECE540D4	110
PID 4124 wrote to memory of 4688	4124	flashcenter_pp_ax_install_cn.exe	112
PID 4124 wrote to memory of 4688	4124	flashcenter_pp_ax_install_cn.exe	112
PID 4124 wrote to memory of 4688	4124	flashcenter_pp_ax_install_cn.exe	112
PID 4124 wrote to memory of 4976	4124	flashcenter_pp_ax_install_cn.exe	114
PID 4124 wrote to memory of 4976	4124	flashcenter_pp_ax_install_cn.exe	114
PID 4124 wrote to memory of 4976	4124	flashcenter_pp_ax_install_cn.exe	114
PID 4976 wrote to memory of 2372	4976	026D542E-E58E-4750-905B-7724B01700F3	115
PID 4976 wrote to memory of 2372	4976	026D542E-E58E-4750-905B-7724B01700F3	115
PID 4976 wrote to memory of 2372	4976	026D542E-E58E-4750-905B-7724B01700F3	115
PID 4976 wrote to memory of 952	4976	026D542E-E58E-4750-905B-7724B01700F3	118
PID 4976 wrote to memory of 952	4976	026D542E-E58E-4750-905B-7724B01700F3	118
PID 4976 wrote to memory of 952	4976	026D542E-E58E-4750-905B-7724B01700F3	118
PID 4976 wrote to memory of 3156	4976	026D542E-E58E-4750-905B-7724B01700F3	120
PID 4976 wrote to memory of 3156	4976	026D542E-E58E-4750-905B-7724B01700F3	120
PID 4976 wrote to memory of 3156	4976	026D542E-E58E-4750-905B-7724B01700F3	120
PID 4976 wrote to memory of 5004	4976	026D542E-E58E-4750-905B-7724B01700F3	122
PID 4976 wrote to memory of 5004	4976	026D542E-E58E-4750-905B-7724B01700F3	122

C:\Users\Admin\AppData\Local\Temp\9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe
"C:\Users\Admin\AppData\Local\Temp\9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Test.exe
  "C:\Program Files (x86)\Test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4404
- C:\Program Files (x86)\flashcenter_pp_ax_install_cn.exe
  "C:\Program Files (x86)\flashcenter_pp_ax_install_cn.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\450E1060-7822-48C9-BC00-C15E796DCB85\D1B700B9-86BD-4C0F-A422-5775D55F4E05
    "C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\450E1060-7822-48C9-BC00-C15E796DCB85\D1B700B9-86BD-4C0F-A422-5775D55F4E05" -install -iv 8
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe
      "C:\Windows\system32\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe" -install -iv 8 -au 4294967295
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Checks computer location settings
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:360
    - - C:\Windows\SysWOW64\Macromed\Temp\{E96A23F5-7F8C-4F9B-992A-FCA7E4D3B053}\InstallFlashPlayer.exe
        
        "C:\Windows\system32\Macromed\Temp\{E96A23F5-7F8C-4F9B-992A-FCA7E4D3B053}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 8 -au 4294967295
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Sets file execution options in registry
        Checks computer location settings
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{E96A23F5-7F8C-4F9B-992A-FCA7E4D3B053}\InstallFlashPlayer.exe" >> NUL
        6⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe" >> NUL
        5⤵
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\450E1060-7822-48C9-BC00-C15E796DCB85\D1B700B9-86BD-4C0F-A422-5775D55F4E05" >> NUL
      4⤵
      PID:3796
- - C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\3A799F38-DC9D-48B0-92DB-90325816F5E4\6C289526-1E25-4EDF-BBD2-94BBECE540D4
    "C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\3A799F38-DC9D-48B0-92DB-90325816F5E4\6C289526-1E25-4EDF-BBD2-94BBECE540D4" -install -iv 8
    3⤵
    - Executes dropped EXE
    - Sets file execution options in registry
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\Macromed\Temp\{BDDD5F8E-FEBC-47E5-B97E-9C03CF5B0C3D}\InstallFlashPlayer.exe
      "C:\Windows\system32\Macromed\Temp\{BDDD5F8E-FEBC-47E5-B97E-9C03CF5B0C3D}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 8 -au 4294967295
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Checks computer location settings
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\Macromed\Temp\{BDDD5F8E-FEBC-47E5-B97E-9C03CF5B0C3D}\InstallFlashPlayer.exe" >> NUL
        5⤵
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\3A799F38-DC9D-48B0-92DB-90325816F5E4\6C289526-1E25-4EDF-BBD2-94BBECE540D4" >> NUL
      4⤵
      PID:4104
- - C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
    "C:\Windows\SysWow64\Macromed\Flash\FlashHelperService.exe" -start
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\94430B2B-133A-440E-9AFC-879036CB6F93\026D542E-E58E-4750-905B-7724B01700F3
    "C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\94430B2B-133A-440E-9AFC-879036CB6F93\026D542E-E58E-4750-905B-7724B01700F3" /S=0 /InstallPath="C:\Program Files (x86)\FlashCenter" /TaskBarShortcut=1 /Bootup=1 /DeskShortcut=1 /SetDefaultProgram=0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FlashCenter.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FCBrowserManager.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FCBrowser.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "Update.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FCTips.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FCPlay.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FCLogin.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FlashRepair.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FlashCenterSa.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM "FlashCenterService.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4176
  - - C:\Program Files (x86)\FlashCenter\FlashCenterSa.exe
      "C:\Program Files (x86)\FlashCenter\FlashCenterSa.exe" /start
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:2800

C:\ProgramData\DRM\Test\Test.exe
C:\ProgramData\DRM\Test\Test.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\system32\dllhost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\system32\dllhost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4420

C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe
"C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
PID:4052

C:\Program Files (x86)\FlashCenter\FlashCenterSa.exe
"C:\Program Files (x86)\FlashCenter\FlashCenterSa.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Test.exe

Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\Test.exe

Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\flashcenter_pp_ax_install_cn.exe

Filesize
6.1MB

MD5
b82aebd7ca5c3a27e432d2939d28b913

SHA1
d37283e380e3e03ef192bf5fc60f4fbf681d596f

SHA256
7adee24593d63985270b87c858ee7a93b0411272252970fb58585729d0c21d9e

SHA512
01d15d8168215bb6c4a194dd44c90391c77775d4affaa9957d161700d29e59f6c3414025953c3a8381c9f7c9becae2c16fe79c5ca3999a4dbd7c9f0a74e6bd29

Download Submit
C:\Program Files (x86)\flashcenter_pp_ax_install_cn.exe

Filesize
6.1MB

MD5
b82aebd7ca5c3a27e432d2939d28b913

SHA1
d37283e380e3e03ef192bf5fc60f4fbf681d596f

SHA256
7adee24593d63985270b87c858ee7a93b0411272252970fb58585729d0c21d9e

SHA512
01d15d8168215bb6c4a194dd44c90391c77775d4affaa9957d161700d29e59f6c3414025953c3a8381c9f7c9becae2c16fe79c5ca3999a4dbd7c9f0a74e6bd29

Download Submit
C:\Program Files (x86)\log.dll

Filesize
109KB

MD5
7bbfe1ddc9f55e621350196b44139ee6

SHA1
918ddd842787d64b244d353bfc0e14cc037d2d97

SHA256
1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f

SHA512
f9d6e03ba65c0df5b12123ff511a0fb73a289dbe3fead025641219ae979ea58709da39b030f745300d210c35bf7db7b9e24cdb66674cdd76b1a44a1f13fc0d8a

Download Submit
C:\Program Files (x86)\log.dll

Filesize
109KB

MD5
7bbfe1ddc9f55e621350196b44139ee6

SHA1
918ddd842787d64b244d353bfc0e14cc037d2d97

SHA256
1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f

SHA512
f9d6e03ba65c0df5b12123ff511a0fb73a289dbe3fead025641219ae979ea58709da39b030f745300d210c35bf7db7b9e24cdb66674cdd76b1a44a1f13fc0d8a

Download Submit
C:\Program Files (x86)\log.dll.dat

Filesize
844KB

MD5
888ed598291dcec6f994caf2697d1a51

SHA1
0b425d56661c8ae459f1e605cf6bf4a41b831c07

SHA256
cb3a425565b854f7b892e6ebfb3734c92418c83cd590fc1ee9506bcf4d8e02ea

SHA512
5ca1b20b163ab098d86dd0e631f5179daf44230d4ee28337c0d4bd6fde0d1a0eceb7b42d73e06f4bf7db5f7402d95045e792d055b099e86a6eead5be87c1f8e9

Download Submit
C:\ProgramData\DRM\Test\Test.exe

Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\ProgramData\DRM\Test\Test.exe

Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\ProgramData\DRM\Test\log.dll

Filesize
109KB

MD5
7bbfe1ddc9f55e621350196b44139ee6

SHA1
918ddd842787d64b244d353bfc0e14cc037d2d97

SHA256
1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f

SHA512
f9d6e03ba65c0df5b12123ff511a0fb73a289dbe3fead025641219ae979ea58709da39b030f745300d210c35bf7db7b9e24cdb66674cdd76b1a44a1f13fc0d8a

Download Submit
C:\ProgramData\DRM\Test\log.dll

Filesize
109KB

MD5
7bbfe1ddc9f55e621350196b44139ee6

SHA1
918ddd842787d64b244d353bfc0e14cc037d2d97

SHA256
1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f

SHA512
f9d6e03ba65c0df5b12123ff511a0fb73a289dbe3fead025641219ae979ea58709da39b030f745300d210c35bf7db7b9e24cdb66674cdd76b1a44a1f13fc0d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
1ea23b77fd91d7fd7a30d3197e3a3597

SHA1
6dd8ecc8a37219e21d0b0ffe333f11be57947e57

SHA256
7bc57cc732ebb3fe3095489c2ed06b5fdc75e91eeb295a92257dbd3c4b8c0ce5

SHA512
32ed4266e44cf0ee357c05914c25c7ed8bd76533b72ee6c35c21171834bee02bd21e106f6227321b3ba13455acfe75f3311a2699bad7ff259992f7ddf40b3b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_DD1B2DCE2C0FA38E7FCB0B23CDE479E3

Filesize
471B

MD5
51a839ef135f83a428216d3a7d693a15

SHA1
695c3e92079151aa975758cd24e7fc8375743cfd

SHA256
a4a009f312dcdb47769edcfcb46d65effe1581fe0515c7be7bf5017fb7c58e06

SHA512
7e983b8fcec30f6bd9efd767664b47a28f52c9e8c9c48135af8fd89465c01918b7f86144ea7c3351d3da73cc0ae93aa9ec7960bba58e8cbe483bbd173929c773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
d65698cbd0dc7d0b3c8421adb20e3c45

SHA1
dcf7a12be2aa1d1b2bf209ee0c4a2614b698cd9a

SHA256
1e9ced6386b43958c03da1131605d143877bbdc32a17edd8b2483aafffe2202c

SHA512
e838aa81abb9bfc409d8c5200f4d47ec1a33db220a1b4d87d7a36aa2f649ab5aa4e1af019a404fde2c318f2bcc4a7413f85450227cc50010032d54c65f964eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_DD1B2DCE2C0FA38E7FCB0B23CDE479E3

Filesize
426B

MD5
f3be202599efab2ff1fe8ce99c7d3d45

SHA1
5840ea2760cdc5ee479e76fe0576cb053823d87c

SHA256
828cc26c3914f8676d4a8b3b7505b8d186e87c7c8ddd55e3c725ced08be30801

SHA512
905c86f08ee967f724195506c60d50b51845ae06de14805525d9d85325b2d34facb44b6881fb585313470aafd8fa17b7793f8d70f99f8e0332752789bb21f415

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\3A799F38-DC9D-48B0-92DB-90325816F5E4\6C289526-1E25-4EDF-BBD2-94BBECE540D4

Filesize
11.4MB

MD5
0fb5802e25f68d868e22b4a7ad022bfa

SHA1
e44758dbc0d06b77bf83454ca8290ed75c5ea005

SHA256
8c254952b58cf824730f22c1816cf186ebac508dc0de0cf97fe98e46c5753b7c

SHA512
38d41ce4a9faccdbd05c9fa9cf1a5f6371511fff413ac8e7e3603704a80d83aaaaa92aa68ce9f78cb95e6be593d42c88de1b8d24c728ac6b58e98e1760ff05a3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\3A799F38-DC9D-48B0-92DB-90325816F5E4\6C289526-1E25-4EDF-BBD2-94BBECE540D4

Filesize
11.4MB

MD5
0fb5802e25f68d868e22b4a7ad022bfa

SHA1
e44758dbc0d06b77bf83454ca8290ed75c5ea005

SHA256
8c254952b58cf824730f22c1816cf186ebac508dc0de0cf97fe98e46c5753b7c

SHA512
38d41ce4a9faccdbd05c9fa9cf1a5f6371511fff413ac8e7e3603704a80d83aaaaa92aa68ce9f78cb95e6be593d42c88de1b8d24c728ac6b58e98e1760ff05a3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\450E1060-7822-48C9-BC00-C15E796DCB85\D1B700B9-86BD-4C0F-A422-5775D55F4E05

Filesize
21.7MB

MD5
931aeb9db56de4c99be02326e2351515

SHA1
f09e8a0e767854695082ddf378dde2b584383bca

SHA256
61e40b9869a24a7163709974a4a8ccf139e0a02b7c2ecaf9b4e24040f84dcf99

SHA512
3c09c3bf3c36c2ffc91185c9b643076354517fa1746bcfae6d51fe21675436eb971b1d9ed0587af3ffc64e6fe9670af3b8af7d2db7afb8d695bd29f24f12b457

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\450E1060-7822-48C9-BC00-C15E796DCB85\D1B700B9-86BD-4C0F-A422-5775D55F4E05

Filesize
21.7MB

MD5
931aeb9db56de4c99be02326e2351515

SHA1
f09e8a0e767854695082ddf378dde2b584383bca

SHA256
61e40b9869a24a7163709974a4a8ccf139e0a02b7c2ecaf9b4e24040f84dcf99

SHA512
3c09c3bf3c36c2ffc91185c9b643076354517fa1746bcfae6d51fe21675436eb971b1d9ed0587af3ffc64e6fe9670af3b8af7d2db7afb8d695bd29f24f12b457

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\94430B2B-133A-440E-9AFC-879036CB6F93\026D542E-E58E-4750-905B-7724B01700F3

Filesize
67.2MB

MD5
28f880cb670e965548097092887675bc

SHA1
3a58416dd298e1ddb8ce323c82e26a50e100b671

SHA256
c4e02bab30dd1ffc1e2bad6d06dc81cc68e9a3204e4659f47f2b36425a34f4a4

SHA512
b76a0798232c412d40f4fdb45695c0b8d0ae055eb12e3d125d5b06edcee2cae9eca6c9953a421fd47669b391db91d8949b0228d3f9c445790a28eb8b7a4ec45b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\B54233BD-5DCD-4010-B95D-B96ADB55E37F\94430B2B-133A-440E-9AFC-879036CB6F93\026D542E-E58E-4750-905B-7724B01700F3

Filesize
67.2MB

MD5
28f880cb670e965548097092887675bc

SHA1
3a58416dd298e1ddb8ce323c82e26a50e100b671

SHA256
c4e02bab30dd1ffc1e2bad6d06dc81cc68e9a3204e4659f47f2b36425a34f4a4

SHA512
b76a0798232c412d40f4fdb45695c0b8d0ae055eb12e3d125d5b06edcee2cae9eca6c9953a421fd47669b391db91d8949b0228d3f9c445790a28eb8b7a4ec45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\StdUtils.dll

Filesize
99KB

MD5
7abf66bab64e83da7a4da626bc34493a

SHA1
c3adab85d079b75b0c46f6b25fd2a736687624c5

SHA256
cbe5843990076d7cda9fe83aa305d66d3a0ffdcca932ef23114d1b3a491924f9

SHA512
f1beeb7df3e24daa72bdb093ea655d236c601e55f039322676f80c8aace0d39af6fab78be6b6b63e9486473f78dae42a762022f776b55d118c7a20948990dd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsFlashCenterPlug.dll

Filesize
3.3MB

MD5
1b7ddee4ccd3d90362b207f20798012b

SHA1
4f6020fcb325227b7d4bc880f7e30b1168e0cbf7

SHA256
0fe5873389a6fdd86d14b13662e7fd75a4ae9a00bf2257377c862734a23a5540

SHA512
c624e194d297e26413a449579fed2945d7a01b062a1ae23899c21ea4f832cdbffc125fff788bf3b7e2bc5ddfe0bd1b6fab6dd583ef0818718e60e2d046af958f

Download Submit
C:\Windows\SysWOW64\FlashPlayerApp.exe

Filesize
828KB

MD5
8965894b853b70c992ee552d9dfbfaee

SHA1
37fec0993e925720e02534a5bc3ef2813ee85d0b

SHA256
68bcfb2c135674a1ebbfc59123fda922c4dd76a5620bc78f0a500d054f9f459d

SHA512
62a118a25cba7e12a00f71b5123dafcb832ad357b8234ff54d88b002839e1f9a5c39fd511687b8611b19f84d4b7a57638cc3d985ea624a6d2712bdbebf836bbd

Download Submit
C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Filesize
176KB

MD5
c478453c00faaab2a3d5d708b9e77184

SHA1
ace9c81a4dcafbde8ea2a12bd2b26e78d304028c

SHA256
b29990d069942c7580b985c180b19a1ef26cdecc44867d4e99f09ad73d41cb7e

SHA512
d3796f48f12fd54392c2f9fd2b07abf98b5f9b3a2b829da3386106b44f79e10f81094c67d55013d8f132c56c06f2aa71ef04c9970c0a0e2e981cf199dd6f55d8

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash32_34_0_0_267.ocx

Filesize
11.3MB

MD5
96d8de02992ad7e79b5af29029eb18a8

SHA1
2dd0345031a3a3ad06eb323e2097c4be90edbc6c

SHA256
2b6661b0992c5967a44ddcb4500e7d9f21ff9b84f6608e86bbc4dbdb9c4affc8

SHA512
69b98b5b37a155657d020b0f1c0253876fc51d88cac2072facebe8e0c5124d8ad5d5697674486eeafa218c570305276845c6df57e87438f3ad79f23ff72679ea

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe

Filesize
2.0MB

MD5
02f6f0f827c509a25a8b873a5a7266d4

SHA1
e09c5c3aadd9adcef87849bd0d0984f5db8e474b

SHA256
5e5e927a204a05185dac554ad25883011612cf18fffa213b18ab3c4c35b54221

SHA512
97891a1ee623ab6124639d7d174dbb52370caf180682f92533bd06be41b4d7ddae4c2ccdb7ee2cae650a07b5c38a6cf67d4d1c3a0d63c596620786ef2e4c144c

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashHelperService.exe

Filesize
2.0MB

MD5
02f6f0f827c509a25a8b873a5a7266d4

SHA1
e09c5c3aadd9adcef87849bd0d0984f5db8e474b

SHA256
5e5e927a204a05185dac554ad25883011612cf18fffa213b18ab3c4c35b54221

SHA512
97891a1ee623ab6124639d7d174dbb52370caf180682f92533bd06be41b4d7ddae4c2ccdb7ee2cae650a07b5c38a6cf67d4d1c3a0d63c596620786ef2e4c144c

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

Filesize
3KB

MD5
60785db6fb302085f60bfaba433e0e4e

SHA1
376247f0d82d825fedf94402a97f9e600588d1e9

SHA256
2849c3c2bcbd8600cd5407f2f3407af85887656a0a39ced8cde7f8778f1053d5

SHA512
4aeb7ec1df0ad24fe53fa862e23d2004a311c92418356f48db80b76408ae8de7d6c0473fa1338664a41f2b373b5b67e5a27544c5b7819adb32c452df04ed87a8

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashInstall32.log

Filesize
6KB

MD5
fa76f78a16f09476ab0ccc9250ea3bd2

SHA1
f60cb5119592cf658d2a95380c4a9a3d83eac1d9

SHA256
99923da0ae67e1e312821280941eab0aa60cc22bc944c41af1d00eccd62a0045

SHA512
b2084c4b492f69529f9690ad1e09b481fb4faa2d80eb0d9de8fab45f50327d3f1ffc7be4c33d784ebde9206b3c2d1aae7d31dcf3c1b156e9da91583705c7046c

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_ActiveX.exe

Filesize
1.5MB

MD5
92a11b51861b5aeaf587735ae77f97d0

SHA1
afa1e4256e3360b8cbdce1cac14eaea78875c62c

SHA256
163980a460122cea22854cb3d247d93094a24a6094439a5df8eca10d4b126ced

SHA512
c73c7a4787cea3e8230356cabd844b1f6565e640d3268097901d7a5be2073cd02c6c142f6e609a019a9c6d03d690a54968900bc3b3eb70f3954d5744b6ccc82f

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_ActiveX.exe

Filesize
1.5MB

MD5
92a11b51861b5aeaf587735ae77f97d0

SHA1
afa1e4256e3360b8cbdce1cac14eaea78875c62c

SHA256
163980a460122cea22854cb3d247d93094a24a6094439a5df8eca10d4b126ced

SHA512
c73c7a4787cea3e8230356cabd844b1f6565e640d3268097901d7a5be2073cd02c6c142f6e609a019a9c6d03d690a54968900bc3b3eb70f3954d5744b6ccc82f

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_pepper.exe

Filesize
1.5MB

MD5
927ab609132a68d2c29b3a97c1ee92cd

SHA1
9fa31d9248ecb45eef43b883411d76e276e59f2a

SHA256
b73e16205b411faad9a71cde5e28f3d4640c4675c299fdb78810462c1454d2a7

SHA512
6a34e87f4afa10f335bba09b7246c28f306e4bf1f8f801b010b87dbc43bec89e62bfb87a66a291254237a2748ed44277f18c8f3899a4bf8634bea244e45c695c

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_34_0_0_267_pepper.exe

Filesize
1.5MB

MD5
927ab609132a68d2c29b3a97c1ee92cd

SHA1
9fa31d9248ecb45eef43b883411d76e276e59f2a

SHA256
b73e16205b411faad9a71cde5e28f3d4640c4675c299fdb78810462c1454d2a7

SHA512
6a34e87f4afa10f335bba09b7246c28f306e4bf1f8f801b010b87dbc43bec89e62bfb87a66a291254237a2748ed44277f18c8f3899a4bf8634bea244e45c695c

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{05612427-AF1B-46AE-9076-4D1E5542983B}\fpb.tmp

Filesize
1.5MB

MD5
4587c6a4c5f90e760fffc665abbb76d4

SHA1
38b5c8a110f29cd3d861958bf4842c9efeaa9dc3

SHA256
f0c1bd5b87d52b4f483ecb8aec938f20bf560ecccb73b91740a3e0eb29317402

SHA512
2edfbad33d65257c041a28d6f93dce9b05f27bee0d55b074eac55ad7e4a3deac48f33cea536480d0769bce315f6faa0a49af42d332996128d8b25a6f0f33e8c4

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{2ECCA471-4E8F-40B1-8185-092546F121C5}\fpb.tmp

Filesize
1.5MB

MD5
92a11b51861b5aeaf587735ae77f97d0

SHA1
afa1e4256e3360b8cbdce1cac14eaea78875c62c

SHA256
163980a460122cea22854cb3d247d93094a24a6094439a5df8eca10d4b126ced

SHA512
c73c7a4787cea3e8230356cabd844b1f6565e640d3268097901d7a5be2073cd02c6c142f6e609a019a9c6d03d690a54968900bc3b3eb70f3954d5744b6ccc82f

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{2ECCA471-4E8F-40B1-8185-092546F121C5}\fpb.tmp

Filesize
1.5MB

MD5
92a11b51861b5aeaf587735ae77f97d0

SHA1
afa1e4256e3360b8cbdce1cac14eaea78875c62c

SHA256
163980a460122cea22854cb3d247d93094a24a6094439a5df8eca10d4b126ced

SHA512
c73c7a4787cea3e8230356cabd844b1f6565e640d3268097901d7a5be2073cd02c6c142f6e609a019a9c6d03d690a54968900bc3b3eb70f3954d5744b6ccc82f

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe

Filesize
11.2MB

MD5
d8f584be50358ff8b50df86a163a44f5

SHA1
c8868f41c5bcb14d6f574ef83f4fe81b283abc9a

SHA256
d07855902ca6923b488708f0b8bcbd49540a68fb42f26f8418bc73f5c75c67b2

SHA512
53b62d6f114980bebca84f07c9ae2144aaef490643177d0f4e100ebca54e1225eeace60decf704917302172ea42bad3baf92c05df8d96b5ea977d58c5715c66b

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{592E4751-40A4-4416-B6DB-2ABB7BEBE12F}\InstallFlashPlayer.exe

Filesize
11.2MB

MD5
d8f584be50358ff8b50df86a163a44f5

SHA1
c8868f41c5bcb14d6f574ef83f4fe81b283abc9a

SHA256
d07855902ca6923b488708f0b8bcbd49540a68fb42f26f8418bc73f5c75c67b2

SHA512
53b62d6f114980bebca84f07c9ae2144aaef490643177d0f4e100ebca54e1225eeace60decf704917302172ea42bad3baf92c05df8d96b5ea977d58c5715c66b

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{63A84E58-BCC8-46AD-B9B0-937903F30E58}\fpb.tmp

Filesize
1.5MB

MD5
927ab609132a68d2c29b3a97c1ee92cd

SHA1
9fa31d9248ecb45eef43b883411d76e276e59f2a

SHA256
b73e16205b411faad9a71cde5e28f3d4640c4675c299fdb78810462c1454d2a7

SHA512
6a34e87f4afa10f335bba09b7246c28f306e4bf1f8f801b010b87dbc43bec89e62bfb87a66a291254237a2748ed44277f18c8f3899a4bf8634bea244e45c695c

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{63A84E58-BCC8-46AD-B9B0-937903F30E58}\fpb.tmp

Filesize
1.5MB

MD5
927ab609132a68d2c29b3a97c1ee92cd

SHA1
9fa31d9248ecb45eef43b883411d76e276e59f2a

SHA256
b73e16205b411faad9a71cde5e28f3d4640c4675c299fdb78810462c1454d2a7

SHA512
6a34e87f4afa10f335bba09b7246c28f306e4bf1f8f801b010b87dbc43bec89e62bfb87a66a291254237a2748ed44277f18c8f3899a4bf8634bea244e45c695c

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{69263BD8-CDB1-4441-B955-5C8C172C3F85}\fpb.tmp

Filesize
597KB

MD5
4b1c20af7a0a89b3e80f7b4eeb0bf494

SHA1
a8fa0557fd3b84958120eca6db53bb9200faef6d

SHA256
8bcfbe1af80a015637c443e9dffd3aeac3124150cf7c8abccc774fc1c452ac23

SHA512
048fa1a1f5b1f3f94a6a8c5f96f4e459d807a14f48538fad421ea79183776e7a85f29158a19754c10be2044e89fa7d59a5c333b8f6d2345c1724bfabdbe48d11

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{926BA85C-A32F-4B42-9A06-AA044D893EE0}\fpb.tmp

Filesize
597KB

MD5
d138a6a7620137ad96640a5e6ce36997

SHA1
137fe2bd1081fe0a826a9e69f21a8693cadf36fd

SHA256
2a6d32b26eb26dfb35799f19f4cd8565446c4baa9b82e717f865ec49a7c56ed8

SHA512
555e127775c5e0ea18c9fcc65376e05daf07f7b57ae3b8581b8d1a1ec7c35d78c335631b47681f7132f7cd4a6c0e473b081f52caa8cfaa9fbd32240518662d83

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{B4046C84-11D5-430E-AC06-B40D30DE7B1B}\fpb.tmp

Filesize
640KB

MD5
6d82d7cf1298af49c5b2d249120520b3

SHA1
734f7976ca523e247fac8cc6e4119a18c88fb4c6

SHA256
0b90708a015664ac53a3dff84fc8c30fed18c3a35af65043c3e8a58b3b7c2749

SHA512
858fe93f459f4549d7bca9746ff3327ba44f084f97795926ad55fec1668c979ce905bb4c1f0e8fb36fe87da4c67a9287b8b5ff4ed988d745c60c378b89e245ad

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{BDDD5F8E-FEBC-47E5-B97E-9C03CF5B0C3D}\InstallFlashPlayer.exe

Filesize
6.2MB

MD5
2f89a84f4bf7836c59bb7965efef1bb5

SHA1
f274343f049b5cc0e625f45291aa2437c97bb019

SHA256
1c5ea088b99f8131f84b012cc708e6639680eb831e5a1c96f8b84ff7ddcd54c6

SHA512
6b88261f0c9f4d5f8f94c8c896e7b9af86c419befe503f2ffaf12b1e0a7eeb32cd2301c7ba3e884f9f32e291a78a2e8236ab24e91aaffefceaaa12c1855a6e66

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{E96A23F5-7F8C-4F9B-992A-FCA7E4D3B053}\InstallFlashPlayer.exe

Filesize
5.7MB

MD5
2f207cad8c31bc2ec4f8d0753f610017

SHA1
84d64daabcad350646c00da84be7834fe693164d

SHA256
61b67632da08af0a6d447467ffa0c0f616158237e8cf552eb6efef12bedd9025

SHA512
53579912b0e59f44821bfd6999deaac64d11890fd0a66c16ffe19ce2cefb103f0357dd8914e95976942f1304b75976f847d79f15f303b0580365e2f140746444

Download Submit
C:\Windows\System32\Macromed\Flash\Flash64_34_0_0_267.ocx

Filesize
13.2MB

MD5
5a193e8a0c03afc7e30c14ae26c4089b

SHA1
c5fd695479d2f86f647418691522601341464841

SHA256
9b39ace01e557a4a4d469bbb4ec7adf27d18b9cf3b1cb96ab201acdefabae9f0

SHA512
c639a615710c613796090e85b21c5a4cdeeb8f4ba88d4dbab9fefba89ac65b0fa21c3856d7e86734a067c58516b820291a346c3f9627e8b3e5b86fb6b98d475e

Download Submit
C:\Windows\System32\Macromed\Flash\FlashUtil64_34_0_0_267_ActiveX.exe

Filesize
1.0MB

MD5
945a67e2b3b0b91ea00d9847d7748ce3

SHA1
86309d65bbea16579f4e2fb74d781dc964905a3c

SHA256
66f881d8e5a18c55432c10acd6b222322df1930730ac2bd438649c9371fd7085

SHA512
95c86f3901a51ec0853076c9f3bba379a3b4ac03239496849ebeed363a00cb15e2fe050693c2b945552e493347243ce8e50556bfe39a5ad77bd1d1423728bd4d

Download Submit
C:\Windows\System32\Macromed\Flash\FlashUtil64_34_0_0_267_pepper.exe

Filesize
1.0MB

MD5
c370b2dce634ab5e7ebff39e273c94fe

SHA1
83662588695aa6635d14c7718fe0d40cee5f4a5b

SHA256
7627aea0f2cfa9d441dc7082f2cf3f2ddf1b49dbced3c9d806365ceca41c2748

SHA512
4f380682b6e8f9a9758e7f1dcea4c6ebc06712217521a2c93fe55219a506e120dfe58669448e3c158c0f4ec2426f0025bcabea992d703cfaaaeb2679dc37d08e

Download Submit
C:\Windows\System32\Macromed\Temp\{0B0EE7FC-623F-401A-AF18-C8E5C0CADDD9}\fpb.tmp

Filesize
1.0MB

MD5
945a67e2b3b0b91ea00d9847d7748ce3

SHA1
86309d65bbea16579f4e2fb74d781dc964905a3c

SHA256
66f881d8e5a18c55432c10acd6b222322df1930730ac2bd438649c9371fd7085

SHA512
95c86f3901a51ec0853076c9f3bba379a3b4ac03239496849ebeed363a00cb15e2fe050693c2b945552e493347243ce8e50556bfe39a5ad77bd1d1423728bd4d

Download Submit
C:\Windows\System32\Macromed\Temp\{3064C40F-2B43-4A3B-8784-6414903B5B5C}\fpb.tmp

Filesize
731KB

MD5
20b57ccbc2750893b600216fc332f563

SHA1
876cbb47abbb0763cf49f1f9ede79c31e0cb2322

SHA256
dc8bc53f400fff767af37448abf66ffae3db0cff3d5a969f9745e1cec9d525c4

SHA512
995bd9b6af549ff908e641ec2d7a47b075281bbd61273ebde8acbe5bb3f91d4497d963a0c58ad7a1c2d401d14f8cdd7e26d5c00b1900f445dde7d3f41c41ffa7

Download Submit
C:\Windows\System32\Macromed\Temp\{7A636182-855B-43B9-80F1-59182A667237}\fpb.tmp

Filesize
684KB

MD5
2dbdd6695988b06bc43a46cb1b9532ec

SHA1
9f70a036c9045b27420dfd422adf58a82e28e874

SHA256
7aada82b9f776b4357b1beca83b1ca389c737965aab094e7f2e38b7cf8f937fc

SHA512
6be05921b5d668a2c0972829e1264115cb1ff9aae91aaaad495365ac59610d8a5012d605b40f9897f0088ad92bb5df793102d9669b01e6bc1e5b98c88178280d

Download Submit
C:\Windows\System32\Macromed\Temp\{8F7E2AA2-4B40-4F68-9BDC-A6D170804428}\fpb.tmp

Filesize
1.0MB

MD5
c370b2dce634ab5e7ebff39e273c94fe

SHA1
83662588695aa6635d14c7718fe0d40cee5f4a5b

SHA256
7627aea0f2cfa9d441dc7082f2cf3f2ddf1b49dbced3c9d806365ceca41c2748

SHA512
4f380682b6e8f9a9758e7f1dcea4c6ebc06712217521a2c93fe55219a506e120dfe58669448e3c158c0f4ec2426f0025bcabea992d703cfaaaeb2679dc37d08e

Download Submit
C:\Windows\system32\Macromed\Flash\FlashInstall64.log

Filesize
4KB

MD5
293967991893149fc678cbb8cbd467b6

SHA1
aeb84b13fdc11ece425b8e3c3a2089d50ee5374a

SHA256
05dca7e4eb874819ef8e82b88dd6700b07c78c36662143e2c10c58456d9d25b1

SHA512
232a4179e7a1e7f23bef394aab26af09a336273a8385f22db106e41e71ef822eac36da888773986b8001362e7fa44343fb927c97217198666732767297c4444a

Download Submit
memory/1500-150-0x0000000001320000-0x00000000013EE000-memory.dmp

Filesize
824KB

Download
memory/1500-153-0x0000000001320000-0x00000000013EE000-memory.dmp

Filesize
824KB

Download
memory/1500-152-0x0000000001320000-0x00000000013F5000-memory.dmp

Filesize
852KB

Download
memory/1500-149-0x0000000001320000-0x00000000013F5000-memory.dmp

Filesize
852KB

Download
memory/1500-148-0x0000000001320000-0x00000000013F5000-memory.dmp

Filesize
852KB

Download
memory/4228-156-0x0000000000C30000-0x0000000000CFE000-memory.dmp

Filesize
824KB

Download
memory/4228-163-0x0000000000C30000-0x0000000000D05000-memory.dmp

Filesize
852KB

Download
memory/4228-164-0x0000000000C30000-0x0000000000CFE000-memory.dmp

Filesize
824KB

Download
memory/4228-154-0x0000000000C30000-0x0000000000D05000-memory.dmp

Filesize
852KB

Download
memory/4404-157-0x00000000028D0000-0x00000000029A5000-memory.dmp

Filesize
852KB

Download
memory/4404-158-0x00000000028D0000-0x000000000299E000-memory.dmp

Filesize
824KB

Download
memory/4404-141-0x00000000028D0000-0x00000000029A5000-memory.dmp

Filesize
852KB

Download
memory/4404-143-0x00000000028D0000-0x000000000299E000-memory.dmp

Filesize
824KB

Download
memory/4420-171-0x00000000004C0000-0x0000000000595000-memory.dmp

Filesize
852KB

Download
memory/4420-172-0x00000000004C0000-0x000000000058E000-memory.dmp

Filesize
824KB

Download
memory/4420-168-0x00000000004C0000-0x000000000058E000-memory.dmp

Filesize
824KB

Download
memory/4420-167-0x00000000004C0000-0x0000000000595000-memory.dmp

Filesize
852KB

Download
memory/4420-166-0x00000000004C0000-0x0000000000595000-memory.dmp

Filesize
852KB

Download
memory/4444-170-0x0000000000E40000-0x0000000000F0E000-memory.dmp

Filesize
824KB

Download
memory/4444-160-0x0000000000E40000-0x0000000000F15000-memory.dmp

Filesize
852KB

Download
memory/4444-161-0x0000000000E40000-0x0000000000F15000-memory.dmp

Filesize
852KB

Download
memory/4444-162-0x0000000000E40000-0x0000000000F0E000-memory.dmp

Filesize
824KB

Download
memory/4444-169-0x0000000000E40000-0x0000000000F15000-memory.dmp

Filesize
852KB

Download
memory/4976-249-0x00000000056C1000-0x00000000056C4000-memory.dmp

Filesize
12KB

Download